cloud-sdk-js: Not able to fetch X-CSRF-Token from onPremise system
Describe the bug Dear SDK Team,
I am not able to fetch X-CSRF-Tokens anymore within @sap-cloud-sdk/http-client in version 3.5.0.
The “csrf-middleware” results every time in 500 http status error:
If I do fire the same HEAD request, the SDK is generating to fetch the X-CSRF-Token within postman, I do get a 200 status code within an X-CSRF-TOKEN back from the onPremise system (see expected behavior below).
This seems to be an issue between the SDK and axios. But I am not able to debug the boilerplate efficiently to identify the reason for it. Can you please try to replicate fetching X-CSRF-Tokens from an onPremise system (via Cloud Connector) with your “csrf-middleware”?
To Reproduce Steps to reproduce the behavior:
- Create a VDM within Entities you can post something to
- Set up a Create or Update statement ( without
skipCsrfTokenFetching()😉 ) - Execute the request and you’ll receive a http 500 status error
Expected behavior
Instead of failing within http 500 status, the middleware should get the X-CSRF-TOKEN from the onPremise system, like it’s done and feasible with postman (btw: via the same cloud-connector-ssh tunnel acting as proxy). I did copy exact every header-property, the baseurl and url to postman and did use the proxy via the SAP CC:
Success!
Used Versions:
- node version via 18.15.0
- npm version: 9.5.0
- SAP Cloud SDK version : 3.5.0
Impact / Priority Affected development phase: Release Impact: Blocked Timeline: UAT in 4 weeks
Kind Regards, Cedric
About this issue
- Original URL
- State: closed
- Created 9 months ago
- Reactions: 1
- Comments: 15 (8 by maintainers)
(btw, version 3.6.0 is out with the fix 🥳)
Hey @drvup, I cannot confirm what exactly caused the issue to pop up right now, however I can see that it occurs in the cloud connector when using the http(s)-proxy-agent. I believe, that the Cloud Connector behaves differently than in the past. We used the http(s)-proxy-agent lib, because in the past axios’ proxy configuration used to not work correctly. Since axios has released version 1, it seems to work - all our tests pass and I even added a few new ones. I am working on a release right now and expect to release a productive version soon.
This is actually reproducible and I had the same issue. The problem here is the data property as @drvup pointed out. The same doesn’t work when you’re doing a POST as well. I guess it has to do something with how the http-agent is processing the request. It adds the HTTP headers twice in the request when data is supplied when I monitored the request using tcpdump.
Using the axios native proxy options should work as it is working with this library: https://github.com/jowavp/sap-cf-destconn
Hey @drvup and @manu-r, thank you for your patience. The latest canary version (3.5.1-20230929112632.0) should fix the issue using the default axios proxy configuration options. I was able to confirm this through my e2e tests as well as with another user. I still want to ensure that the combination of proxy configuration and client certificate works before releasing a new version, as axios had issues with this in the past.
Thanks @manu-r - good news and good idea to observe your tcp-data! 🦈 So this seems to be a major thing @marikaner for not-GET-requests as it’s a huge impact. Can you raise the criticality on this issue?
Thanks 😃
It seems that this solves the CSRF issue, but then the subsequent request through the Cloud Connector fails.
Hey @marikaner , was thinking about it again and wanted to share my 2 cents with you. I mean, yes, it’s not necessary to send any payload within a HEAD request, but anyhow, this shouldn’t result in http status 500. So I did the same with postman (and the SSH tunnel via SAP CC) and I can send any payload without receiving 500.
Having that in mind, it seems to be about the data I am sending. In the comment above, the
makeCsrfRequest()does send data “{}” within the HEAD request. So it’s not about the data, but maybe about the encoding?Hey @drvup, thank you for the thorough replication steps, I will try to reproduce this and let you know once I know more.